Data protection law: Joint controllership (also) for the "Like" button

By judgment of July 29, 2019, the European Court of Justice (ECJ) ruled in Case C-40/17 ("Fashion ID") that a website operator who incorporates Facebook's "Like" button into its pages is jointly responsible with Facebook for the processing of personal data of website visitors.

Background

The subject of the proceedings, in which the Düsseldorf Higher Regional Court had referred a number of questions of interpretation to the ECJ for a preliminary ruling, is a so-called social media plug-in, the "Like" button on Facebook, which results in certain personal data of this visitor being transferred to Facebook when a visitor accesses the website concerned. In the specific case, this transfer took place regardless of whether the visitor is a Facebook member, clicks on the social media plugin and without further explanation of the data transfer.

The association ”Verbraucherzentrale NRW” considered the integration of the "Like" button on the pages of Fashion ID, an online retailer for fashion articles, a violation of several data protection provisions.

Decision

First of all, the ECJ states that neither the old Data Protection Directive nor the new General Data Protection Regulation (GDPR) opposes the civil law procedure of the Verbraucherzentrale NRW.

When assessing the responsibility for the data processing operations in connection with the "Like" button, the ECJ differentiates: The website operator is jointly liable with Facebook for the collection of the data in question and their forwarding to Facebook. After the transmission, however, Facebook is solely responsible.

Background is that the integration of the social media plugin enables the website operator to optimize his own advertising, which is given a greater reach by Facebook when the "Like" button is clicked. The ECJ is focusing significantly on this economic advantage in order to assign joint controllership to website operators until the data transfer to Facebook has been completed. The website operator therefore approves the processing of personal data in order to benefit from the improved advertising opportunities.

Comments

In this case, the decision is not surprising. In its ruling of June 5, 2018 (Case C-210/16), the ECJ had already ruled that the operator of a Facebook fan page is jointly responsible with Facebook for the collection and processing of personal data. The court transfers the reasoning behind this decision to the "Fashion ID" case. It should also apply accordingly to other social media plug-ins that enable the processing of personal data.

This means that website operators who include the "Like" button must provide certain mandatory information about the joint data processing operations. In order to support the website operators in this, it can be assumed that Facebook - as in the follow-up to the C-210/16 proceedings - will provide an agreement on joint controllership relatively soon. In addition, website operators must ensure that there is a suitable legal basis - usually a declaration of consent - for the collection and transfer of data to Facebook. This could be done, for example, by means of suitably designed cookie banners or the transparent implementation of the so-called two-click solution.

However, the ECJ ruling is also remarkable for a completely different reason: It was not to be expected with certainty that the ECJ would grant the Verbraucherzentrale NRW the power of action for (competition law) action against Fashion ID. Since the GDPR came into force, the question of the right to take legal action in the case of data protection violations - and thus of their ability to issue cease and desist letters - has been highly controversial and is assessed differently by the German instance courts. With its decision of April 11, 2019 - File No. I ZR 186/17, the FCJ had suspended another case against Facebook for violations of data protection law with regard to precisely this question now decided by the ECJ. Subject to possible restrictions by the national legislator, it is now to be expected that data protection violations will increasingly be prosecuted by business and consumer associations in the future in accordance with competition law. However, it has still not been conclusively clarified whether companies are also entitled to sue in respect of data protection infringements committed by their competitors.

For website operators, this means that they should critically review the value of each plugin and use only those that actually add value. If such an added value is not determined, it should be waived in case of doubt in order to avoid unnecessary disputes.